Ahead of the Legislation

Insightive.tv: What is your perspective on the role of CISO in general, where do you see it going in the future?

Monica: The role is becoming an extremely important one as cybersecurity becomes an ever increasing concern. The battle to keep up with the security requirements, both regulatory and those of practical necessity, is critical.

In Europe, some new legal and regulatory requirements are coming from GDPR. But, all over the world, increases in standards and regulations are pushing a direct need for the CISO to be in continuous communication with senior management. There is also a convergence between information security, technology and privacy teams. Our privacy legal team sits in our Risk function, where my position — CISO — is also located. That means that conversation and collaboration between security and privacy teams are already strongly developed. This position was decided years ago in Italy to ensure a direct reporting line with Risk Management and a correct segregation of duties from IT.

There is also an increasing conversation about what the qualifications for the position should be. There is more pressure to possess managerial and business skills, in addition to the technical security and technological competencies of the role. This makes the position a difficult one to fill because there is already a shortage of people with technical security skills.

One of the big questions we are struggling with moving forward is — does our legal team need to become more technologically informed, or do we need to become more legal minded ? Our response right now has been to continue working closely and collaboratively without trying to recruit or re-educate the skills of the other.

Insightive.tv: What do you see as the biggest drivers of change?

Monica: Legal and regulatory necessities combined with changes in technology. The whole world has gone digital. At PwC, we have a huge transformation project in IT to innovate our technology and become a state of the art technology player —security needs to keep up with that.

The threat of hacks is a problem that is constantly increasing. The problem used to be keeping up with patch releases, but now we also have to focus on keeping ahead of malware. This challenge, and the honest impracticality of effectively keeping on top of all of these developments, is driving a need to compliment detection programs that rely on traditional signature-based anti-malware systems with preventative programs using more sophisticated methods like behavioural analysis, self-learning, fingerprinting, white/black listing, etc.

Insightive.tv: Do business issues ever act as direct drivers?

Monica: Increasing demand for technology support is one of the large business issues that is driving a need for greater security — everyone wants an app, and we have to make sure that those apps are secure. There is an increased demand for consultancy services, particularly tax and legal services, but we are seeing it even for audit services

Technologies advance from emerging to mature states in such a short number of years and become readily available on the market, like for example cloud services, and the business want to adopt these services, they need to adopt them to keep a competitive advantage. The issue is “are they secure” and if not, how do we make them secure. This kind of dilemma exists across almost all services and grows along with our technological capability.

Insightive.tv: Does this mean that you see cybersecurity as an enabler, or is it always considered a necessary cost?

Monica: We have a motto of trying to be enablers, and not to be an obstacle. It is very easy to say no. Instead, we try and find a secure solution. This approach, though, is often easier the earlier we get involved in a project. There have been some projects in which we got involved too late, and then you can be perceived as an obstacle. But that is simply because the approach that is being taken is fundamentally insecure.

I would say that the growth of our involvement in projects, and the fact that our business partners come back to us again on new projects, means that they have had a good experience involving us. Usually, we manage to develop collaborative relationships with our business partners.

Insightive.tv: How do you go about measuring the Return on Investment from cybersecurity?

Monica: As mentioned above, business partners coming back and involving us earlier in the next projects is always an indication that our previous involvement was beneficial. In terms of measurement, we have internal KPI’s that statistically monitor our performance, for example, measurements it in terms of security breaches and problems — or the lack thereof. In Italy, thankfully, we have not had any significant breaches to date. Although, there does seem to be a degree to which the question of cyberattacks is becoming ever more ‘when’ not ‘if.’

Regular internal audits, self-assessment and monitoring of compliance with policies and procedures also provide us with a good indication that investments have increased our control maturity posture.

Insightive.tv: Have recent regulatory changes, and the GDPR specifically, had an impact on business thinking and digital transformation projects?

Monica: Currently, I would say that the new European regulations over auditing are the number one priority to date, of regulatory changes, certainly for our risk leadership team but the GDPR is a close second. It has certainly brought more attention to cybersecurity in general.

In Italy, we have historically had very stringent data protection laws, similar to the situation in Germany. I am not a solicitor, but a lot of the new regulatory changes are actually requirements that we, in Italy, have already been required to meet. We will, of course, need to review some of our programs in the light of GDPR, but I think that we are already in compliance with most of the new requirements. For example, there is a lot of talk about how GDPR introduces new requirements around defining data retention periods: while we may need to improve or update some processes around the destruction or return of data after the retention period expires, the aspects relating to identification and definition of the retention period are steps we are already undertaking.

There is also a lot of talk about the requirement to have very updated and sophisticated security technology. We already have a significant number of security tools and systems, for example, system logging and SIEM to monitor administrators’ access. But we are looking at new tools and technologies, for example, CyberArk to help us better with both our local regulation compliance and changes coming with GDPR.

Fortunately, we have a security transformation program ongoing for over a year now in PwC globally in order to update our security technology for many reasons, but this will certainly also help with GDPR readiness.

Insightive.tv: Does this mean that you see the GDPR as an opportunity for which you are already prepared?

Monica: I would say that it is an opportunity for us to more easily convince business partners of the merits of our internal security policies and procedures that we have already been adhering to. So yes.

At PwC we have very strong internal policies and procedures relating to security generally, but it is sometimes hard to convince our business partners that these internal policies are a must. When there is a legal requirement it becomes a must, rather than a ‘should do.’ There are aspects that we do not already have in place, but we have programs and projects in progress that will allow us to meet the requirements. Fortunately, we were working on these projects anyway — for reasons beyond the GDPR, so it just gives us more justification to proceed.

I would say, however, that I feel there is a degree to which security vendors and the business media are pushing fear about this regulation that is potentially out of proportion to its requirements. IT vendors and in particular security technology vendors are jumping on this as an opportunity to sell their products. And this is making it seem like the new data protection law is all about technology. Yes, a lot of it is technology, and all the better for us. Anything that puts information security on the agenda is, in my view, badly needed. A lot of the current data protection laws are antiquated and obsolete and do take into account the state of technology today. There are unresolved issues with data transfers cross-borders that can cause many obstacles for global companies. So an update of the legislation is welcome, especially with regards to its references to technology, but this is not all about technology.

You need to involve the legal team, the data privacy team and you need to work very closely with them. The convergence of the role of CISO and Data Privacy Officer and the need for them to collaborate on a daily basis is absolutely going to be fundamental going forward, if not already. I feel lucky, as I said, that this is something we already do in Italy.

I do think that there are companies and countries that will struggle to meet these new requirements. But I also think that more is being made out of this than will actually result from their implementation. Equally, I agree with the advice that we should not put off preparing for these changes, even though the deadline is still a couple of years away. Perhaps I don’t feel too concerned because we haven’t put it off — we are working on the requirements already.

Monica Gillane is CISO at PwC Italy — working in that role for the last five years to build the internal security practices within the firm. Monica had a background in IT, before qualifying as a Chartered Accountant and has been working within PwC for almost decades. We sat down with Monica to get her perspective on the GDPR — its impact on digital transformation, and the evolving role in CISO is an ever digitising age.

PricewaterhouseCoopers is the second largest professional service firm in the world. They are one of the Big Four professional auditors, operating in 157 countries.